Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Controlling Switch Access with Passwords and Privileges
The following are the restrictions for controlling switch access with passwords and privileges:
Disabling password recovery will not work if you have set the switch to boot up
manually by using the boot manual global configuration
command. This command produces the boot loader prompt (switch:) after the
switch is power cycled.
Default Password and Privilege Level Configuration
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
This table shows the default password and privilege level configuration.
Table 1 Default Password and Privilege Levels
Feature
Default Setting
Enable password and privilege level
No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
Enable secret password and privilege level
No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password
No password is defined.
Additional Password Security
To provide an additional layer of security, particularly for passwords that cross the
network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can
use either the enable password or enable
secret global configuration commands. Both commands accomplish the
same thing; that is, you can establish an encrypted password that users must enter to
access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it
uses an improved encryption algorithm.
If you configure the enable secret command, it takes
precedence over the enable password command; the two commands
cannot be in effect simultaneously.
If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.
By default, any end user with physical access to the Catalyst 3850 switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.
To re-enable password recovery, use the service
password-recovery global configuration command.
When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line. For more information on doing this, see Related Topics.
You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Cisco switches (and other devices) use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Privilege Levels on Lines
Users can override the privilege level you set using the privilege
level line configuration command by logging in to the line and
enabling a different privilege level. They can lower the privilege level by using the
disable command. If users know the password to a higher
privilege level, they can use that password to enable the higher privilege level. You
might specify a high level or privilege level for your console line to restrict line
usage.
For example, if you want many users to have access to the clear
line command, you can assign it level 2 security and distribute the level
2 password fairly widely. But if you want more restricted access to the
configure command, you can assign it level 3 security and
distribute that password to a more restricted group of users.
Command Privilege Levels
When you set a command to a privilege level, all commands whose syntax is a subset of
that command are also set to that level. For example, if you set the show ip
traffic command to level 15, the show
commands and show ip commands are automatically set to
privilege level 15 unless you set them individually to different levels.
How to Control Switch Access with Passwords and Privilege Levels
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
SUMMARY STEPS
1.configureterminal
2.enable passwordpassword
3.end
DETAILED STEPS
Command or Action
Purpose
Step 1
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
enable passwordpassword
Example:
Switch(config)# enable password secret321
Defines a new password or changes an existing password for access to privileged EXEC mode.
By default, no password is defined.
For password, specify a string from 1 to 25 alphanumeric
characters. The string cannot start with a number, is case sensitive, and allows
spaces but ignores leading spaces. It can contain the question mark (?) character
if you precede the question mark with the key combination Crtl-v when you create
the password; for example, to create the password abc?123, do this:
Enter abc.
Enter Crtl-v.
Enter ?123.
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Protecting Enable and Enable Secret Passwords with Encryption
Beginning in privileged EXEC mode, follow these steps to establish an encrypted password that users must enter to
access privileged EXEC mode (the default) or any privilege level you specify:
Defines a new password or changes an existing password for access to privileged EXEC mode.
Defines a secret password, which is saved using a nonreversible encryption method.
(Optional) For level, the range is from 0 to
15. Level 1 is normal user EXEC mode privileges. The default level is
15 (privileged EXEC mode privileges).
For password, specify a string from 1 to 25
alphanumeric characters. The string cannot start with a number, is
case sensitive, and allows spaces but ignores leading spaces. By
default, no password is defined.
(Optional) For encryption-type, only type 5,
a Cisco proprietary encryption algorithm, is available. If you specify
an encryption type, you must provide an encrypted password—an
encrypted password that you copy from another switch
configuration.
Note
If you specify an encryption type and then enter a clear text password, you can not re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Step 3
service password-encryption
Example:
Switch(config)# service password-encryption
(Optional) Encrypts the password when the password is defined or when the configuration is written.
Encryption prevents the password from being readable in the configuration file.
Beginning in privileged EXEC mode, follow these steps to disable password recovery to protect the security of your switch:
Before You Begin
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.
SUMMARY STEPS
1.configureterminal
2.no service password-recovery
3.end
DETAILED STEPS
Command or Action
Purpose
Step 1
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
no service password-recovery
Example:
Switch(config)# no service password-recovery
Disables password recovery.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Step 3
end
Example:
Switch(config)# end
Returns to privileged EXEC mode.
What to Do Next
To re-enable password recovery, use the service
password-recovery global configuration command.
Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:
Before You Begin
Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.
The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.
SUMMARY STEPS
1.enable
2.configure terminal
3.line vty 0 15
4.passwordpassword
5.end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Switch> enable
Note
If a password is required for access to privileged EXEC mode, you will be prompted for it.
Enters privileged EXEC mode.
Step 2
configure terminal
Example:
Switch# configure terminal
Enters global configuration mode.
Step 3
line vty 0 15
Example:
Switch(config)# line vty 0 15
Configures the number of Telnet sessions (lines), and enters line configuration mode.
There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Step 4
passwordpassword
Example:
Switch(config-line)# password abcxyz543
Sets a Telnet password for the line or lines.
For password, specify a string from 1 to 25 alphanumeric
characters. The string cannot start with a number, is case sensitive, and allows
spaces but ignores leading spaces. By default, no password is defined.
Sets the username, privilege level, and password for each user.
For name, specify the user ID as one word. Spaces
and quotation marks are not allowed.
(Optional) For level, specify the privilege level
the user has after gaining access. The range is 0 to 15. Level 15 gives
privileged EXEC mode access. Level 1 gives user EXEC mode access.
For encryption-type, enter 0 to specify that an
unencrypted password will follow. Enter 7 to specify that a hidden password
will follow.
For password, specify the password the user must
enter to gain access to the switch. The password must be from 1 to 25
characters, can contain embedded spaces, and must be the last option
specified in the username command.
Step 3
Use one of the following:
line console 0
line vty 0 15
Example:
Switch(config)# line console 0
or
Switch(config)# line vty 15
Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 15).
Step 4
login local
Example:
Switch(config-line)# login local
Enables local password checking at login time. Authentication is based on the username specified in Step 2.
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command:
SUMMARY STEPS
1.configureterminal
2.privilegemodelevellevelcommand
3.enable password levellevelpassword
4.end
DETAILED STEPS
Command or Action
Purpose
Step 1
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
privilegemodelevellevelcommand
Example:
Switch(config)# privilege exec level 14 configure
Sets the privilege level for a command.
For mode, enter
configure for global configuration mode,
exec for EXEC mode,
interface for interface configuration mode,
or line for line configuration mode.
For level, the range is from 0 to 15. Level 1 is
for normal user EXEC mode privileges. Level 15 is the level of access
permitted by the enable password.
For command, specify the command to which you want
to restrict access.
Specifies the password to enable the privilege level.
For level, the range is from 0 to 15. Level 1 is
for normal user EXEC mode privileges.
For password, specify a string from 1 to 25
alphanumeric characters. The string cannot start with a number, is case
sensitive, and allows spaces but ignores leading spaces. By default, no
password is defined.
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for the specified line:
SUMMARY STEPS
1.configureterminal
2.line vtyline
3.privilege levellevel
4.end
DETAILED STEPS
Command or Action
Purpose
Step 1
configureterminal
Example:
Switch# configure terminal
Enters the global configuration mode.
Step 2
line vtyline
Example:
Switch(config)# line vty 10
Selects the virtual terminal line on which to restrict access.
Step 3
privilege levellevel
Example:
Switch(config)# privilege level 15
Changes the default privilege level for the line.
For level, the range is from 0 to 15. Level 1 is for
normal user EXEC mode privileges. Level 15 is the level of access permitted by the
enable password.
Step 4
end
Example:
Switch(config)# end
Returns to privileged EXEC mode.
What to Do Next
Users can override the privilege level you set using the privilege
level line configuration command by logging in to the line and
enabling a different privilege level. They can lower the privilege level by using the
disable command. If users know the password to a higher
privilege level, they can use that password to enable the higher privilege level. You
might specify a high level or privilege level for your console line to restrict line
usage.
Example: Setting or Changing a Static Enable Password
This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
Example: Setting the Privilege Level for a Command
This example shows how to set the configure command to
privilege level 14 and define SecretPswd14 as the password
users must enter to use level 14 commands: